Have you tried dovecot.conf?

[1:root@elmo fail2ban 1]$ rpm -qa | grep fail
fail2ban-server-0.9.3-1.fc22.noarch
fail2ban-systemd-0.9.3-1.fc22.noarch
[0:root@elmo filter.d]$ ls /etc/fail2ban/filter.d/
3proxy.conf                common.conf           guacamole.conf          perdition.conf        sieve.conf
apache-auth.conf           counter-strike.conf   horde.conf              php-url-fopen.conf    sogo-auth.conf
apache-badbots.conf        courier-auth.conf     ignorecommands          portsentry.conf       solid-pop3d.conf
apache-botsearch.conf      courier-smtp.conf     kerio.conf              postfix.conf          squid.conf
apache-common.conf         cyrus-imap.conf       lighttpd-auth.conf      postfix.local         squirrelmail.conf
apache-common.local        directadmin.conf      monit.conf              postfix-rbl.conf      sshd.conf
apache-fakegooglebot.conf  dovecot.conf          my_apache-wplogin.conf  postfix-sasl.conf     sshd-ddos.conf
apache-modsecurity.conf    dropbear.conf         my_dovecot_secure.conf  postfix-sasl.local    stunnel.conf
apache-nohome.conf         drupal-auth.conf      mysqld-auth.conf        proftpd.conf          suhosin.conf
apache-noscript.conf       ejabberd-auth.conf    nagios.conf             pure-ftpd.conf        tine20.conf
apache-noscript.local      exim-common.conf      named-refused.conf      qmail.conf            uwimap-auth.conf
apache-overflows.conf      exim.conf             nginx-botsearch.conf    recidive.conf         vsftpd.conf
apache-pass.conf           exim-spam.conf        nginx-http-auth.conf    roundcube-auth.conf   webmin-auth.conf
apache-shellshock.conf     freeswitch.conf       nsd.conf                selinux-common.conf   wuftpd.conf
assp.conf                  froxlor-auth.conf     openwebmail.conf        selinux-ssh.conf      xinetd-fail.conf
asterisk.conf              groupoffice.conf      oracleims.conf          sendmail-auth.conf
botsearch-common.conf      gssftpd.conf          pam-generic.conf        sendmail-reject.conf

I actually use my_dovecot_secure.conf:

failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>
            dovecot:.+rip=<HOST>.+wrong version number
            dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>
            dovecot:.+auth failed.+rip=<HOST>

HTH,
Bill

On 12/12/2015 10:48 PM, Brad wrote:
> I have installed Fail2ban on Centos 6.7 and configured it to handle failed
> login attempts to dovecot. I tried to configure it
> based on various different directions on the web, but no luck.
>
> It appears the filter is working correctly, but the action never seems to get
> executed
>
> fail2ban-client status dovecot-pop3imap
> ----------------------------------------------------------------
> Status for the jail: dovecot-pop3imap
> |- Filter
> |  |- Currently failed: 1
> |  |- Total failed:     9
> |  `- File list:        /var/log/maillog
> `- Actions
>    |- Currently banned: 0
>    |- Total banned:     0
>    `- Banned IP list:
> ================================================================
>
> fail2ban-client -d
> ----------------------------------------------------------------
> ['set', 'syslogsocket', 'auto']
> ['set', 'loglevel', 'INFO']
> ['set', 'logtarget', '/var/log/fail2ban']
> ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
> ['set', 'dbpurgeage', 86400]
> ['add', 'dovecot-pop3imap', 'auto']
> ['set', 'dovecot-pop3imap', 'usedns', 'warn']
> ['set', 'dovecot-pop3imap', 'addlogpath', '/var/log/maillog', 'head']
> ['set', 'dovecot-pop3imap', 'maxretry', 20]
> ['set', 'dovecot-pop3imap', 'addignoreip', '127.0.0.1/8']
> ['set', 'dovecot-pop3imap', 'logencoding', 'auto']
> ['set', 'dovecot-pop3imap', 'bantime', 172800]
> ['set', 'dovecot-pop3imap', 'ignorecommand', '']
> ['set', 'dovecot-pop3imap', 'findtime', 3600]
> ['set', 'dovecot-pop3imap', 'addfailregex', '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*']
> ['set', 'dovecot-pop3imap', 'addaction', 'iptables-multiport']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/lockingopt', '']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'protocol', 'tcp']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'name', 'dovecot-pop3imap']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'chain', 'INPUT']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/__name__', 'Init']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/port', 'ssh']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'lockingopt', '']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/name', 'default']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'returntype', 'RETURN']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'port', 'pop3,pop3s,imap,imaps']
> ['set', 'dovecot-pop3imap', 'addaction', 'sendmail-whois']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionunban', '']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actioncheck', '']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'name', 'dovecot-pop3imap']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sender', 'fail2ban']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'dest', 'serverm...@myserver.com']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/__name__', 'Init']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sendername', 'Fail2Ban']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/dest', 'root']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sendername', 'Fail2Ban']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sender', 'fail2ban']
> ['start', 'dovecot-pop3imap']
> ================================================================
>
> Relevant part of jail.local
> ----------------------------------------------------------------
> [dovecot-pop3imap]
> enabled = true
> filter = dovecot-pop3imap
> port = pop3,pop3s,imap,imaps
> action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
>          sendmail-whois[name=dovecot-pop3imap, dest=serverm...@myserver.com]
> logpath = /var/log/maillog
> maxretry = 20
> findtime = 3600
> bantime = 172800
> ================================================================
>
> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf
> ----------------------------------------------------------------
> Running tests
> =============
> Use   failregex filter file : dovecot-pop3imap, basedir: /etc/fail2ban
> Use         log file : /var/log/maillog
> Use         encoding : UTF-8
>
> Results
> =======
> Failregex: 927 total
> |-  #) [# of hits] regular expression
> |   1) [927] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> |  [28894] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-
>
> Lines: 28894 lines, 0 ignored, 927 matched, 27967 missed [processed in 3.86 sec]
> Missed line(s): too many to print.  Use --print-all-missed to print all 27967 lines
> ================================================================
>
> No errors appear in the fail2ban log, even on Debug level of logging.
> Email seems to work fine for the shutdown and startup of Fail2ban
>
> Any ideas on why this may be happening?
> Did I overlook something or is there a typo in my work?
>
> Fail2ban version v0.9.3
> CentOS release 6.7 (Final)
>
> Thanks!!
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
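A way to sanity-check both halves of the thread offline, as an added example that is not code from the thread or from fail2ban itself: it applies the four failregex lines from Bill's my_dovecot_secure.conf to a few constructed maillog lines, then replays fail2ban's findtime/maxretry window to show when a host would actually be banned (with the jail's own maxretry = 20 and findtime = 3600, three failures never reach the threshold). The <HOST> substitution, the assumed year for syslog timestamps and the sample log lines are simplifications of mine, not fail2ban's real implementation.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> substitution (assumption, not fail2ban's own code)
HOST_RE = r"(?P<host>[\w\-.]+)"

# The four failregex lines from Bill's my_dovecot_secure.conf, as quoted in the thread
FAILREGEX = [
    r"auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>",
    r"dovecot:.+rip=<HOST>.+wrong version number",
    r"dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>",
    r"dovecot:.+auth failed.+rip=<HOST>",
]

# Constructed sample maillog lines (not from the thread); three failures, one successful login
SAMPLE_LOG = """\
Dec 12 22:40:01 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Dec 12 22:41:05 mail dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=203.0.113.7, lip=198.51.100.2
Dec 12 22:42:10 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.5, lip=198.51.100.2
Dec 12 23:50:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
"""

def compile_failregex(patterns):
    """Turn fail2ban-style patterns (with <HOST>) into Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def extract_failures(log_text, patterns, year=2015):
    """Return [(timestamp, host)] for every line matched by any failregex."""
    regexes = compile_failregex(patterns)
    failures = []
    for line in log_text.splitlines():
        for rx in regexes:
            m = rx.search(line)
            if m:
                # syslog timestamps carry no year, so one is assumed here
                ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                failures.append((ts, m.group("host")))
                break
    return failures

def would_ban(failures, maxretry, findtime):
    """Replay fail2ban's rule: ban a host once it has maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = {}, set()
    for ts, host in sorted(failures):
        hits = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned
```

`would_ban(extract_failures(SAMPLE_LOG, FAILREGEX), 20, 3600)` returns an empty set for the jail's own thresholds, while `maxretry=2` bans 203.0.113.7 and `maxretry=3` only does so once findtime is widened past the 70-minute gap between the first and last failure.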